Page 38 - FIGI: Security Aspects of Distributed Ledger Technologies
the owner, or someone the owner provides the key to, for example, an exchange. The evolving debate amongst regulators is whether having control of private keys on behalf of clients is equivalent to custody/safekeeping services, 244 and if so, whether the existing requirements should apply to the providers of those services. 245

There are significant hurdles to overcome if traditional custody banks are to engage with this emerging asset class, including operating models, technology, risk, compliance, and legal and regulatory frameworks. 246

This concentration of users' private keys makes crypto-exchange platforms a single point of failure, one that clients' holdings have made a honeypot for hackers. The amount of cryptocurrency stolen from exchanges in 2018 increased 13 times compared to 2017, with reportedly USD 2.7 million in crypto assets stolen every day, or USD 1,860 each minute. 247 The exchanges are usually FinTechs, with operational security that is poor relative to the levels of assets they are meant to hold in custody. Simply put, any regulated (legacy) institution with such poor levels of security would have been sanctioned or liquidated by regulators.

Risks:
Poor Security of Custodians and Customer Wallets: A risk issue is whether custodians have the necessary measures in place to segregate assets and safeguard them from hacks. Regulations in most of the world are silent on this type of custodial element, as private key custody is largely not yet codified as imputing possession and custody. Custodial solutions for tokenized assets are being launched by existing licensed financial service companies where the regulations allow this. In an example of the utility of an enabling bespoke crypto-asset regulatory framework, the Swiss stock exchange SIX is to develop a trading platform for tokenized assets with a fully integrated trading, settlement, and custody infrastructure. 248 The Swiss investment bank Vontobel launched the Digital Asset Vault to provide trading and custodial solutions to banks and asset managers. 249

The potential for use of DLTs for securities and derivatives could increase investor control, improve the efficiency of systemic risk distribution, and create a more diverse and resilient financial ecosystem. 250 The use of DLT for these purposes however still needs to be mandated, in particular what defines custody as well as forms of custody, that is, allowing the assets to be placed on a DLT. 251

Mitigation and Recommendations:
Requiring a third party private key management function, that is, custodial solutions offered by third parties for user keys, is contradictory and possibly even nugatory to the core ‘disintermediation’ principles of DLTs. In all, these trade-offs may arguably reduce the utility of DLTs. MPC-based custodians may however, as noted above, provide some utility in securing wallet value through distributing keys.

From a crypto-asset perspective (that is, native crypto), there needs to be a consensus by regulators on what constitutes safekeeping services. One view 252 is that having control of private keys on behalf of clients is the same as safekeeping services and that rules to ensure the safekeeping and segregation of client assets should thus apply to the providers of those services. Multi-signature wallets, where several private keys held by different individuals, instead of one, are needed for a transaction to happen, will also require consideration. There may be a need to 253 consider some ‘technical’ changes to some requirements and/or to provide clarity on how to interpret them, as they may not be adapted to DLT technology. 254

8.5.3 Issue: Poor End User Account Management and Awareness
Irresponsible and inadequate management of access and authorization information is a common and traditional challenge. In the case of blockchain systems, this includes the storage and security of private keys, token addresses and account passwords (such as with third party services). The methods which bad actors use to gain unauthorized access through stolen credentials are typically not specific to DLTs and can be applied generally to digital and connected services.

Risks:
Failure to adequately manage keys can lead to permanent loss or theft of funds: Failure to adequately manage these items can lead to permanent loss or theft of funds and some specific repercussions with regard to public blockchains, where no centralized authority is available to provide remedies, such as providing a user with a lost address, lost private key or reversing a transaction to a dead wallet. The concept of ‘irreversibility’ of transactions is fundamental to DLT principles. Use of wallets or exchanges may also be compromised if the
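The multi-signature and MPC-based custody mentioned in the mitigation section above, and the permanent-loss risk in 8.5.3, both rest on one idea: a signing key should not exist in a single place. The following added example (not code from the FIGI report, nor from any custodian it names) illustrates that idea with Shamir threshold secret sharing, a building block related to, but simpler than, real multi-signature schemes and MPC wallets. A wallet key is split into n shares with a threshold t; any t shares recover it, so losing up to n-t shares is not a permanent loss, while fewer than t shares reveal nothing. The sample key and the three-party custody arrangement (customer, custodian, backup) are constructed for the example; the field prime is the secp256k1 group order, which is the value range of a secp256k1 private key.

```python
"""Threshold (t-of-n) sharing of a wallet signing key (Shamir secret sharing).

Added illustration of distributed key custody; not the report's own code.
"""
import secrets

# secp256k1 group order (prime). A secp256k1 private key is an integer in
# [1, P-1], so shares computed in this field map directly onto such keys.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _eval_poly(coeffs, x, p):
    """Evaluate the polynomial (constant term first) at x, using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, threshold, shares, p=P):
    """Split `secret` into `shares` points; any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree t-1;
    share i is the point (i, f(i)). Fewer than t points leave the constant
    term uniformly undetermined, so they leak nothing about the key.
    """
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < p:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, shares + 1)]


def recover_secret(points, p=P):
    """Lagrange-interpolate the polynomial at x = 0 from (x, y) points.

    With at least t distinct points this returns the original secret; with
    fewer it returns an unrelated field element (no error is raised, which is
    exactly why a custody policy must enforce the threshold, not trust math
    to signal a shortfall).
    """
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def custody_demo(key=None):
    """2-of-3 custody: customer, custodian and an offline backup each hold a share.

    Returns which recovery scenarios succeed. `key` defaults to a constructed
    sample value (not a real wallet key).
    """
    key = 0x5EC0DE5EC0DE5EC0DE5EC0DE5EC0DE5EC0DE5EC0DE5EC0DE5EC0DE5EC0DE5EC0 if key is None else key
    customer, custodian, backup = split_secret(key, threshold=2, shares=3)
    return {
        # normal operation: customer and custodian co-sign
        "normal_signing": recover_secret([customer, custodian]) == key,
        # customer lost their share: custodian + backup still recover the key
        "recovered_after_loss": recover_secret([custodian, backup]) == key,
        # a breached custodian alone cannot reconstruct the key
        "single_share_suffices": recover_secret([custodian]) == key,
    }


if __name__ == "__main__":
    for scenario, ok in custody_demo().items():
        print(f"{scenario}: {ok}")
```

Compared with a hot wallet holding the full key, the 2-of-3 arrangement turns a single point of failure into a policy question (who holds which share, and under what conditions they combine them), which is the consideration the report asks regulators to give to multi-signature custody.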